California’s strict new privacy law, the California Consumer Privacy Act (CCPA), gives residents much more control over their private data and has spawned several other states to consider their own stringent privacy legislation. As a result, organizations that develop mobile apps must safeguard sensitive information or risk regulatory fines.
The CCPA took effect on Jan. 1, 2020, and is currently the toughest, most comprehensive privacy law in the United States. It gives California residents the right to know what personal information companies collect and sell. If they wish, consumers can also demand that companies delete the data and prohibit them from collecting and selling their information.
With no federal privacy law in sight, other states have followed California’s lead to pursue their own privacy legislation. Here’s a closer look at the new privacy laws in California, Maine and Nevada and some of the proposed legislation across the nation – and what companies that develop mobile apps need to do about it.
Privacy Concerns Crop Up Across the Country
In 2019, Maine and Nevada passed their own privacy laws, roughly a dozen introduced legislation, and five other states — Connecticut, Hawaii, Louisiana, North Dakota and Texas – launched task forces to study the matter, according to the International Association of Privacy Professionals.
States that built momentum toward their own CCPA-like laws last year are continuing their efforts in 2020. In January, New Hampshire and Washington state lawmakers reintroduced their privacy bills and the New York Privacy Act continues to wind its way through the New York legislature, Security Boulevard reports.
While initiatives to create a federal privacy law have yet to gain traction, Congress proposed a variety of data privacy bills last November. “As more states follow California’s lead and push forward with new privacy laws, we’ll likely see increased pressure on the federal government to take a more proactive role in the privacy space,” Attorney Mary Race told CNET in January.
Scrutinize the Specifics of CCPA
The CCPA, which was inspired by the European Union’s General Privacy Data Protection Regulation (GDPR), affects any company that does business with California residents, not just California-based businesses.
More specifically, the new law applies to any for-profit company that meets one of three criteria: earn $25 million or more in annual gross revenue; collect and sell personal information of 50,000 or more California residents; or earn more than half its yearly revenue by selling consumers’ personal information. The upshot is that many businesses in the U.S. and across the globe must adhere to the CCPA.
According to the law, personal information includes browser history, biometric information, geolocation data and lists of products or services purchased. It not only includes data gathered electronically through the Internet or mobile apps, but also paper records.
The CCPA also requires companies to implement and maintain reasonable security procedures and practices to protect consumer data across all facets of web, mobile and paper records. If companies suffer data breaches, California’s attorney general can fine businesses up to $7,500 for each intentional violation and up to $2,500 for each unintentional violation. If a breach occurs, California residents can also file individual or class-action lawsuits and demand up to $750 per California resident and incident.
Explore State and Federal Privacy Efforts
In contrast to the CCPA, Maine and Nevada crafted privacy laws that are more narrowly focused. Maine’s law, which takes effect on July 1, 2020, prohibits Internet service providers from using, selling or allowing access to customers’ personal information unless the customers allow it.
Nevada’s law, which went into effect last October, allows consumers to prevent an website or online service from selling their information.
Elsewhere, the proposed privacy initiatives in Washington state and New York are tougher than the CCPA in some ways, according to published reports. For example, Washington state’s proposed bill offers several provisions that go beyond CCPA, including requirements to perform privacy risk assessments, limitations on secondary uses of data and data minimization, which requires companies to limit the processing of consumer data to only what is necessary, according to the non-profit Future of Privacy Forum.
The New York Privacy Law is broader than the CCPA in several ways, including making all companies that do business in New York state a data fiduciary, meaning businesses must balance their duty to shareholders with their duty to protect consumers’ privacy. And while companies must earn $25 million a year in gross revenue to be subject to the CCPA, the New York Privacy Act has no minimum revenue requirement and affects companies of any size that collects information on New Yorkers, said New York State Sen. Kevin Thomas, the bill’s author.
On the federal front, Congress isn’t likely to pass a privacy bill in 2020 because senators are far apart on the issues of preempting state law and giving consumers the right to sue, according to a recent Bloomberg Law article.
In the meantime, the CCPA serves as the current de facto national standard and companies that comply with it now can more easily adhere to other more stringent laws that get enacted in the future, said Lori Kalani, co-chair of Cozen O’Connor’s state attorneys general practice in Washington told Bloomberg Law.
Focus on Mobile AppSec Testing
The arrival of the CCPA and the bevy of privacy legislation in the works illustrates how data privacy is top of mind for consumers and politicians across the country. As a result, mobile app business owners, developers, and security, legal, risk and compliance teams all must be mindful about how those apps collect, transmit and store sensitive data.
Modern mobile apps today typically collect dozens of points of Personally Identifiable Information (PII), including name, username/password and more, including mobile-specific features like geolocation, device serial number and mobile advertising tracking. These organizations must build in privacy and security measures early in the development process and test those mobile apps for privacy and security risks to prevent data exposures.
To learn how business leaders, product managers and product owners can better secure their apps and protect user privacy, download the NowSecure ebook, “Building Privacy By Design Into Your Mobile App Portfolio.”